Tag: Virtru

Is your company prepared for the next big data breach? According to a study by Ponemon Institute, which surveyed 567 executives in the United States on how prepared they think their companies are to respond to a data breach, the following findings were made:

Most respondents believe their companies are not prepared to deal with the consequences of a data breach.

Most companies have data breach response plans, but they are ineffective.

Data breach response plans are often not effective because they are not reviewed in a timely manner.

87% of senior managers upload business files to a personal email or cloud account.

Email malware creation is up 26% year over year, with 317 million new pieces of malware created in 2014.

Hackers targeted 5 out of 6 large companies using email attacks last year — an annual increase of 40%.

Cybercrime has a 1,425% ROI.

With the proliferation of data theft and compromised systems, more companies are addressing data privacy concerns via a renewed focus on security and encryption technology.

To address these data privacy and security concerns, MDaemon administrators and users have three options for keeping confidential email messages and attachments secure – SSL/TLS, Virtru, and OpenPGP. When an email message is sent, SSL or TLS is used to encrypt the connection from the mail client to the server or from the sending mail server to receiving mail server. Virtru provides end-to-end message and attachment encryption, and OpenPGP provides server-side encryption and key management as well as client-side encryption (when used with an OpenPGP plug-in on the mail client).

Encrypting the Connection with SSL or TLS

When you use POP or IMAP to retrieve your email messages over an unencrypted connection, your username and password are transmitted in clear text across the internet. This means that anyone using the same network or wireless connection as you, or anyone who has access to internet traffic at your ISP, can potentially intercept your data and read your login credentials. A hacker with malicious intent can then read your email, steal confidential information, or send out thousands of spam messages from your account. Your email credentials are valuable to spammers because the success rate of their solicitations is much greater than if they had simply forged the return-path of the message (which is characteristic of most spam messages).

One method for preventing hackers from being able to “sniff out” private data that’s in transit over the network is to use SSL or TLS. SSL and TLS are methods for encrypting the connection between two mail servers (SMTP) or between the mail server & mail client (POP & IMAP). In other words, the communication channel is encrypted – not the email message itself. A good explanation of SSL can be found here: https://www.digicert.com/ssl.htm

Normally, SMTP traffic is sent from client-to-server or server-to-server over port 25, but if you’d like the SMTP connection to be encrypted using SSL, by default you can configure your mail client to send outbound SMTP traffic over port 465, and you can also configure MDaemon or SecurityGateway to use port 465. Likewise, the default POP3 SSL port is 995, and the default IMAP SSL port is 993.

When SSL or TLS is used, the data itself is not encrypted, but the connection is. If you’d like the data itself to be encrypted, then continue reading for how to encrypt email messages and attachments using Virtru and OpenPGP.
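To show what the cleartext exposure described above looks like from the defender's side, the following added example (not part of the original post) scans a constructed transcript of client commands on the unencrypted POP3, IMAP and SMTP ports and reports which accounts logged in without SSL/TLS. The sample lines, the account names and the function name `find_cleartext_logins` are assumptions made for illustration.

```python
import base64
import re

# Constructed sample: client-to-server lines as a passive observer would see
# them on the unencrypted ports (POP3 110, IMAP 143, SMTP 25).
SAMPLE_CAPTURE = [
    (110, "USER alice@example.com"),
    (110, "PASS hunter2-constructed"),
    (143, 'a001 LOGIN "bob@example.com" "constructed-secret"'),
    (25, "AUTH PLAIN " + base64.b64encode(b"\0carol@example.com\0constructed-pw").decode()),
    (143, "a002 SELECT INBOX"),
    (25, "MAIL FROM:<carol@example.com>"),
]

# IMAP: <tag> LOGIN <user> <password>, arguments optionally quoted.
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+\S', re.I)


def find_cleartext_logins(lines):
    """Return (port, mechanism, account) for each login readable on the wire.

    Passwords are deliberately not returned: the finding is that they were
    exposed, not what they were.
    """
    findings = []
    # Last POP3 USER argument, keyed by port here for brevity; a real capture
    # would key this by connection.
    pop_user = {}
    for port, line in lines:
        verb, _, rest = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            pop_user[port] = rest.strip()
        elif verb == "PASS" and port in pop_user:
            findings.append((port, "POP3 USER/PASS", pop_user.pop(port)))
        elif verb == "AUTH" and rest.upper().startswith("PLAIN "):
            try:
                blob = base64.b64decode(rest.split(None, 1)[1], validate=True)
            except (ValueError, IndexError):
                continue  # malformed initial response, nothing to report
            parts = blob.split(b"\0")  # authzid \0 authcid \0 password
            if len(parts) == 3:
                findings.append((port, "SMTP AUTH PLAIN", parts[1].decode("utf-8", "replace")))
        else:
            match = IMAP_LOGIN.match(line.strip())
            if match:
                findings.append((port, "IMAP LOGIN", match.group(1)))
    return findings


if __name__ == "__main__":
    for port, mechanism, account in find_cleartext_logins(SAMPLE_CAPTURE):
        print(f"port {port}: {mechanism} exposed credentials for {account}")
```

Any account this reports is a client that should be moved to the SSL ports listed above (465, 995, 993), where the same commands are no longer readable in transit.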

Client-Side Message & Attachment Encryption with Virtru

While SSL & TLS encrypt the connection, Virtru (included with MDaemon) encrypts the actual email message. Virtru provides end-to-end encryption – meaning the message is encrypted on the sending client and decrypted on the receiving client. Messages encrypted via Virtru are stored in their encrypted state on the server and cannot be decrypted without the proper keys.

With OpenPGP, messages are encrypted on the server, but they can also be encrypted on the mail client if an OpenPGP plug-in has been installed. The MDaemon administrator enables the OpenPGP features, creates public & private keys for users, and selects users who are allowed to use OpenPGP. Use the MDPGP configuration screen (located under the Security menu) to configure automatic encryption & key exchange, encryption key size and expiration, and to import keys. You can also create content filter rules to encrypt messages that meet specific criteria using OpenPGP.

This knowledge base article contains step-by-step instructions for enabling MDaemon’s OpenPGP features, configuring who can use it, and creating public & private keys for users.

Are These Features Easy to Use?

SSL and TLS are enabled by simply enabling the SSL ports on the mail server and configuring your mail client to use the SSL ports.

With Virtru, you’re up and running by simply enabling the feature in WorldClient. When you enable Virtru in WorldClient, your request is first sent to Virtru for processing. Within seconds, you’ll receive a pop-up message indicating that Virtru is now ready to start encrypting and decrypting your messages and message attachments. It’s that simple!

And for OpenPGP, options are available to help automate the encryption, decryption, and key import/exchange processes.

Conclusion

To recap, SSL & TLS can be used to help prevent eavesdropping on your email communication channel by encrypting the connection, while Virtru & OpenPGP can be used to help keep your email messages safe from unauthorized access by encrypting the actual email messages and attachments. Together, these security measures help to ensure that your confidential business data remains safe from unauthorized access.

Are you ready to ensure your important business communications are safe from prying eyes? Then download MDaemon and get started with SSL, Virtru, and OpenPGP!

How often have you heard someone say “If you’re not doing anything illegal, then you have nothing to hide?” When asked this, I tend to respond with, “OK, then how about you give me the login credentials for all of your email accounts, including the ones you use for personal use?” I think of this as analogous to allowing a stranger to walk around in your house. Hey, it’s OK as long as you’ve got nothing to hide, right? The point is that, no matter what is contained in our electronic data, most of us want peace of mind in knowing that it isn’t being accessed by unauthorized individuals.

This concern for privacy doesn’t just apply to individuals. It applies to businesses as well. Businesses rely on electronic communication to send sensitive information such as invoices, employee records, financial reports, and other confidential data. In fact, businesses currently send more than 100 billion emails each day, and that number is projected to skyrocket to almost 140 billion emails a day in another year. If this information gets into the wrong hands, it can lead to devastating losses for the company, as well as damage to its reputation. For example, in 2013 and 2014, Target suffered breaches of approximately 110 million customer records in two separate attacks. Earlier last year, a security expert discovered that 272.3 million accounts had been stolen from Google, Yahoo, Microsoft, and Mail.ru (Russia’s most popular email service). In 2013, Yahoo suffered a breach that is believed to have impacted over 1 billion users. In September of 2016, at least 500 million Yahoo user accounts were compromised in a massive data breach that may have included names, email addresses, phone numbers, birthdates, and hashed passwords. In 2012, 165 million LinkedIn accounts were compromised. Though different attack vectors may have been used in each of these cases, the targeted information could have been safeguarded if it had been encrypted. Moreover, all it takes is for one host to be infected with malware to allow the interception and eavesdropping of confidential email content.

Breaches perpetrated by hackers aren’t the only threat to a company’s data. User error also poses a significant threat. According to the whitepaper “Content Encryption – Key Issues to Consider” from Osterman Research, these examples of users mistakenly sending unencrypted content were cited:

An employee at Nationstar Mortgage mistakenly emailed copies of customers’ W-2 forms to an employee at Greenlight Mortgage, revealing Social Security numbers, names, addresses and other sensitive information.

845 patients of Tulare County Health received information on how to access protected health information (PHI) via the administration’s medical portal due to an employee mistake.

Graduate students at the South Dakota School of Mines and Technology were inadvertently sent an email attachment that included the student identification numbers, grade point averages and other information of about 350 fellow students.

The costs of not sufficiently protecting your data are high. The findings from a study conducted by the Ponemon Institute show that the average cost of a security breach in the United States was $201 per compromised data record – $32 for detecting the breach and notifying the affected individuals, $55 for damage control costs including legal fees, investigations, fines and remediation, and $114 in loss of business due to customer abandonment. Regulated industries such as healthcare and financial services have the most costly data breaches due to fines and the higher than average rate of lost business and customers. In addition to financial losses, companies may also suffer damage to their reputation.

How could these incidents have been prevented? If these businesses had encrypted their data, they could have prevented unauthorized access to confidential information in the event of a breach. Encryption helps protect corporate and financial data of companies, as well as the personal data of their employees and customers. When data is encrypted, even if a user’s account has been hacked, the data would still be unreadable. Encryption also helps companies meet strict regulations such as FERPA, GLBA, and PCI compliance. Encryption solutions also offer the benefit of proof of identity when email messages are digitally signed, ensuring that the message is authentic and verified as having been sent from the purported sender.

A common misconception about email encryption is that it is only needed for larger businesses; however, small and medium size businesses are targeted just as frequently as large ones, and often can be affected much more severely in the event of an email hack. While a larger company may be able to financially survive a breach (but still at significant loss), a severe data breach could put a small company out of business. This is just one of many reasons why encryption is so important.

One of the most common challenges for email encryption is that it has had a reputation of being difficult to use, often requiring cumbersome key exchanges and extensive configuration. MDaemon’s client-side encryption feature (via Virtru) and server-side encryption (via OpenPGP) were designed for convenience and ease of use.

Virtru’s client-side encryption service is built into WorldClient, MDaemon’s webmail client. Setup is as easy as checking a box and verifying your identity. Once enabled, you can simply follow the steps outlined on this page to encrypt your messages. For server-side encryption, MDaemon’s OpenPGP settings make it easy to automate encryption of messages as they pass through the server. Administrators can follow steps outlined in this knowledge base article to enable OpenPGP, configure who can use it, and create keys for their users. This post includes a tutorial video on how to use the OpenPGP features in MDaemon, including how to encrypt an email message using special commands in the subject line, as well as how to automate the encryption process using the content filter.

No business is too small to protect its sensitive data from theft. If you’d like to ensure your company’s emails and attachments are safe, you should always encrypt. A few extra steps now can save a great deal of headache later.

In a previous video and blog post, I demonstrated how to maintain data privacy by encrypting email messages in WorldClient (MDaemon’s webmail client) using Virtru. However, this easy-to-use client-side email encryption feature does more than just email encryption. When you use Virtru Pro, you can set a message expiration period, revoke sent messages, or disable forwarding. In today’s video tutorial, I show you how to set a message expiration using WorldClient and Virtru.

Recently, I created a video and blog post about Virtru Email Encryption for MDaemon, to demonstrate its features, benefits, and ease of use. Following along with its ease of use, I’ve created the following animation to show you just how easy Virtru is to use. Simply enable Virtru support in WorldClient (MDaemon’s webmail client), enable the Virtru features by clicking on the small “V” button within the email compose window, and then click on “Send Encrypted.” It really is that simple!

Today we’ve launched the newest version of the MDaemon email server with some exciting new features. Staying true to the company’s focus on email security and end user ease of use, we believe these new features will be welcomed by many of our users across industries.

Encryption Layers for Extended Email Privacy

With a growing emphasis in the market on email privacy, MDaemon 15.5 introduces additional encryption features using Virtru and OpenPGP to make it easy for users and administrators to keep email communications private.

On the client side, WorldClient users can enable Virtru for end-to-end encryption. Basic encryption for emails and attachments is included for free within the WorldClient settings menu. Virtru encrypts the user’s email and attachments and does not have access to the encryption keys. For organizations that need to comply with HIPAA or need additional security controls, Virtru Pro is available for an annual subscription of only $24 per user. Virtru Pro allows users and administrators to revoke messages at any time, see and control forwarding, as well as add expiration data to email messages. For Microsoft Outlook users, the same features (free and Pro) are available using the Virtru for Outlook add-on.

On the server side, OpenPGP for MDaemon has been added to give administrators the ability to use encryption, decryption, and basic key management capabilities through OpenPGP support. This additional layer helps administrators who want to ensure user compliance by managing encryption settings at the server rather than at the user-implemented client level. Also, MDaemon’s Content Filter now contains actions to encrypt and decrypt messages. And finally, server-side encryption capabilities are beneficial when using email archiving with MDaemon.

Managing Employee Workload and Overtime with Email Do Not Disturb

Companies in many countries are being challenged by the need to manage email access “after hours” to prevent overtime pay and promote a stronger work/life balance. To date, most companies can only implement Human Resource policies to address the issue. To help IT Administrators deliver another layer of compliance to the organization, MDaemon 15.5 introduces its “Email Do Not Disturb” feature.

Located within the Accounts | Groups & Templates settings, Do Not Disturb allows the MDaemon administrator to set a time frame during which email may not be accessed by its users. Accounts in this state will receive incoming mail, but users may not be able to log in to their MDaemon account or send/reply to messages until the Do Not Disturb period has lapsed.

Adding Public Contacts Support in ActiveSync

The ActiveSync server has an option to include and merge a user’s public contacts with their default contacts. This allows users of clients such as Outlook 2013, which does not support multiple contacts folders or global address list searching, to access public contacts. The public contacts are read-only and tagged with “Public” and “Read-Only” categories.

Browser* Desktop Notifications – When launching WorldClient using the LookOut or WorldClient theme, the browser will prompt the user to allow desktop notifications. If accepted, the user will receive notifications of new email messages, new Instant Messages (in the case that the corresponding chat is not in focus), and any change in status of a chat buddy.
*Desktop notifications are not supported by Internet Explorer.

Password Recovery – If enabled, users who have permission to edit their password will be able to enter an alternate email address to reset their password in case they forget it. Once set, if the user attempts to log in with an incorrect password a “forgot password?” link will appear and direct them to a page that asks them to confirm their password recovery email address. If entered correctly, a message containing a link to a page that allows them to change their password is sent. This feature is disabled by default.

Creating a New Event, Task, or Note via Email – Users can easily convert an email message to an event, task or note. This enables users to more easily follow-up on emails that contain information relevant to projects, meetings or other time sensitive activities.